Easier WinDbg scripting with Javascript for malware research
Vanja Svajcer, Cisco
With its ability to use the operating system symbols and recognise many, even undocumented, system structures, WinDbg is a powerful tool and effectively the only debugger used to analyse kernel mode malware and inspect objects kept internally by Windows, either in a live debugging session or by analysing a full memory dump.
Unfortunately, the WinDbg learning curve has traditionally been steep, due to the large number of often unintuitive debugging commands, a rudimentary user interface and an arcane scripting syntax.
Over the years there have been several more or less successful attempts to make WinDbg scripting simpler for the user, with the most widely accepted interface being the pyKd Python extension. Still, WinDbg scripting remained far from user friendly.
The developers behind Debugging Tools for Windows have been aware of WinDbg's limitations for some time and have recently put a lot of effort into making WinDbg easier for the user. They introduced a new GUI in WinDbg Preview (available through the Windows Store), but they also added a new Debugger Object Model, with the dx command to inspect it, together with the NatVis XML visualisation specification language and LINQ queries which allow the user to filter the results of the dx command.
With the Debugger Object Model, they exposed many of the operating system objects tracked internally by the debugger, such as processes, threads, handles and stacks, through a user-friendly hierarchical namespace. Users can simply inspect Debugger.Sessions.First().Processes to enumerate all processes in the current session.
Finally, they created a new scripting interface which allows the user to script the new user-friendly features, inspect the object model and augment it by adding new object definitions to its namespace. They did that by creating a WinDbg extension that integrates the Microsoft Chakra Javascript engine and exposes the debugger object model to it.
Although many researchers will question the choice of programming language for the new scripting interface, there is no doubt that the Javascript extension makes scripting within WinDbg much more intuitive than any of the previous attempts.
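As an added illustration (not code from the talk or from Microsoft), a minimal WinDbg Javascript script in the shape the Chakra extension expects: initializeScript registers a function alias, and the alias walks the Debugger.Sessions.First().Processes collection named above. The host.apiVersionSupport, host.functionAlias and host.diagnostics.debugLog calls and the process properties Name and Id are from the documented host API; the matching helper is split out so it can be exercised on a plain array outside the debugger, and the sample process list is constructed here.

```javascript
"use strict";

// Pure helper: given any iterable of process-like objects (WinDbg's
// Processes collection or a plain array), return the ones whose name
// matches the pattern (case-insensitive) as plain records.
function matchProcesses(processes, pattern) {
    const re = new RegExp(pattern, "i");
    const hits = [];
    for (const proc of processes) {
        const name = String(proc.Name);
        if (re.test(name)) {
            // Process ids fit in 32 bits, so Number() is safe here.
            hits.push({ name: name, id: Number(proc.Id) });
        }
    }
    return hits;
}

// Debugger-side wrapper, only ever called inside WinDbg as !findproc "pattern".
// It uses the namespace mentioned in the abstract: Debugger.Sessions.First().Processes.
function findProcesses(pattern) {
    const procs = host.namespace.Debugger.Sessions.First().Processes;
    const hits = matchProcesses(procs, pattern);
    for (const h of hits) {
        host.diagnostics.debugLog(`${h.name} (PID ${h.id})\n`);
    }
    return hits;
}

// Entry point the Chakra extension calls on .scriptload / .scriptrun:
// declare the host API version and expose findProcesses as !findproc.
function initializeScript() {
    return [
        new host.apiVersionSupport(1, 7),
        new host.functionAlias(findProcesses, "findproc"),
    ];
}

// Constructed sample data so the helper can be exercised outside WinDbg;
// real process objects carry many more properties (Threads, Modules, ...).
const SAMPLE_PROCESSES = [
    { Name: "System", Id: 4 },
    { Name: "svchost.exe", Id: 812 },
    { Name: "svchost.exe", Id: 1304 },
    { Name: "explorer.exe", Id: 2211 },
];
```

Inside WinDbg, `.scriptload` the file and run `!findproc "svchost"` to list matching processes from the live session.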
This session will provide attendees with the information required to leverage the new Debugger Object Model and the Javascript scripting interface for malware research, by walking through a real-world analysis of a rootkit driver used in a recent crypto mining campaign. Attendees will see the new scripting interface in action in a real-world analysis scenario and go back to their own research with a few new WinDbg scripting tricks in their pockets.
This research is part of a longer-term effort to make kernel debugging and manual analysis more widely practised by malware researchers.
Vanja Svajcer
“Vanja Svajcer works as a Technical Leader at the Cisco Talos Threat Intelligence organisation.
He is a security researcher with 20 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked for SophosLabs and led a Security Research Team at Hewlett Packard Enterprise.
Vanja enjoys tinkering with automated analysis systems, reversing binaries and Android malware. He thinks time spent scraping telemetry data for signs of new attacks is well worth the effort.
In his free time, he is trying to improve his acoustic guitar skills and often plays basketball, which at his age is not a recommended activity.”